This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "RIA Security Smackdown"

From OWASP

Content present in the previous revision and removed by this edit (the unchanged and added text is shown in the rendered revision below):

==Basic Problems==

* Anyone going to this model will have to deal with how to handle sensitive information and sensitive functions on the client.
* Is there sharing of data between users? Download someone else's data into your application?
* How do you separate code from data? Does any data contain anything that might get interpreted? HTML, XML, JSON, JavaScript, ???
* How does data move between the RIA and the server? Is it just data or is embedded code possible?
* How do you separate one app from another app within the VM? (same for DB)
* What happens when you move outside the browser? You lose the protection that the browser sandbox affords.
* Mashups?
* Connections between an RIA and an app running inside the browser (to steal SESSION)
* What level of interaction is allowed with the browser and the DOM? Is there an API to interact with the DOM? Can you interact with other components in the DOM?
* How is interaction with native code allowed?
* How is interaction with the code of the RIA platform allowed? Can you modify the platform (Backbase)?
* How is information passed to the VM to restrict its behavior to comply with the Same Origin Policy?
* Protected against DNS pinning? Use TLS Certificates?

==Criteria==

* Cross platform
* Local File system access
* Network access
* Built-in Database
* HTML
* JavaScript
* Support for cross-domain policy (crossdomain.xml)
* Windowing
* Drag and Drop

Organizations have been rated on the following five characteristics:

; 1. Adobe AIR
: The
; 2.
: The
; 3. Flex
: The
; 4. Flex
: The
; 5. Flex
: The

==Scoring==

{|class="wikitable sortable" style="text-align: center;" width="100%"
|-
! RIA Framework
! width="14%" | 1. Awareness
! width="14%" | 2. Requirements
! width="14%" | 3. Verification
! width="14%" | 4. AppSec Team
! width="14%" | 5. Response
! width="14%" | Score
|-
|
| [http://msdn2.microsoft.com/en-us/library/ms995349.aspx#sdl2_topic3_2 Full]
| [http://msdn2.microsoft.com/en-us/library/ms995349.aspx#sdl2_topic2_1 Full]
| [http://msdn2.microsoft.com/en-us/library/ms995349.aspx#sdl2_topic2_4 Full]
| [http://msdn2.microsoft.com/en-us/library/ms995349.aspx#sdl2_topic3_4 Full]
| [http://msdn2.microsoft.com/en-us/library/ms995349.aspx#sdl2_topic2_6 Full]
| 10
|-
| [http://www.oracle.com Oracle]
| [http://www.oracle.com/security/docs/software-security-assurance-process.pdf Full]
| None
| [http://www.oracle.com/security/secure-development-processes.html Partial]
| None
| [http://www.oracle.com/security/software-security-assurance.html Full]
| 5
|-
| [http://www.foobar.com Foobar]
| [http://link Full]
| [http://link Full]
| [http://link Full]
| [http://link Full]
| [http://link Full]
| ?
|}

__NOTOC__

Revision as of 05:32, 24 August 2007

Notes from the OWASP Washington chapter meeting where we discussed:

  • FLEX (Adobe) - development environment for Flash Apps
  • Flash Studio for movies
  • Java Applet
  • Flash 7
  • JFX (Sun Java)
  • Silverlight (Microsoft) - .NET Applets that run inside the browser, no privileged code
  • Google Gears - local storage component with JavaScript API (Same Origin all the way down)
  • AIR (Adobe - formerly Apollo) - VM that runs Flash, Shockwave movies, ActionScript, JavaScript, FLV

Threat Agents

  • Threat from external attackers
  • Threat from malicious developers (sandbox?)


References

AIR - http://www.flashsec.org, http://www.wisec.it.en/Docs/flash_App_testing_Owasp07.swf

Results

Basic Problems

Key

  • (A) - Allowed
  • (LD) - Limited by developer
  • (LU) - Limited by user
  • (D) - Denied




{| class="wikitable sortable" style="text-align: center;" width="100%"
|-
! RIA Framework
! Java Applet
! Adobe Flash
! Google Gears
! Java FX (JFX)
! MS Silverlight
! Adobe AIR
|-
| '''Persistence''' - Does the RIA framework allow data to be persisted in the client?
| A || A || A || A || A || A
|-
| '''Roles''' - Does the RIA framework enable multiple roles to use the same client?
| A || A || A || A || A || A
|-
| '''Sharing''' - Does the RIA framework allow sharing of data?
| A || A || A || A || A || A
|-
| '''Exchange''' - Does the RIA framework use data formats that scramble data and code (HTML, JSON)?
| A || A || A || A || A || A
|-
| '''Pipes''' - Does the RIA framework allow multiple applications to communicate with each other on the client?
| A || A || A || A || A || A
|-
| '''Files''' - Does the RIA framework have access to the local file system?
| A || A || A || A || A || A
|-
| '''Sockets''' - Does the RIA framework have access to local network sockets?
| A || A || A || A || A || A
|-
| '''Windows''' - Does the RIA framework have the ability to create windows?
| A || A || A || A || A || A
|-
| '''Devices''' - Does the RIA framework have the ability to access local cameras and microphones?
| A || A || A || A || A || A
|-
| '''Native''' - Does the RIA framework have access to local native code or executables?
| A || A || A || A || A || A
|-
| '''DOM''' - Does the RIA framework have access to the DOM?
| A || A || A || A || A || A
|-
| '''Controls''' - Does the RIA framework have access to other components within the DOM?
| A || A || A || A || A || A
|-
| '''Self-Modify''' - Can an RIA modify the RIA framework?
| A || A || A || A || A || A
|-
| '''DNS Pinning''' - Does the RIA framework protect against DNS pinning?
| A || A || A || A || A || A
|}